Splunk Search

Sort year month string in timechart legend

splunkmasterfle
Path Finder

Hi,

I am trying to sort the legend in my timechart chronologically but can't seem to make it work.

This is my search:



index=batch
| rex field=partName "regular(?<tmpPartName>.*)"
| rex field=tmpPartName "(?<partNameMonth>[a-zA-Z]+)[0-9]+"
| rex field=tmpPartName "[a-zA-Z]+(?<partNameYear>[0-9]+)"
| eval newPartName = partNameYear + " " + partNameMonth
| timechart span=1d limit=15 sum(duration) by newPartName

Sample values for the field partName:



regularjan15
regularmar15
regularapr15
regularmay15
regularfeb15
regularnov14
regularoct14
regulardec14

Anyone have an idea how I can do this?


lguinn2
Legend

I would do this:

index=batch
| rex field=partName "regular(?<tmpDate>.*)"
| eval newPartName = strftime(strptime(tmpDate,"%b%y"),"%Y-%m")
| timechart span=1d limit=15 sum(duration) by newPartName

splunkmasterfle
Path Finder

This is what I ended up doing. Thank you for all the help!


somesoni2
SplunkTrust

If it's acceptable to you, you can go with a format like this: "%Y - %m (%b)". This will get sorted properly and it does show the string format month as well.

2014 - 04(Apr)
2014 - 08(Aug)
2014 - 12(Dec)
2014 - 07(Jul)

lguinn2
Legend

You can't. Splunk sorts the legend based on the value of newPartName.
If it is in the format %Y-%b, then the months are going to sort alphabetically.

splunkmasterfle
Path Finder

It's true that changing the month to a digit will fix the issue. Thank you for the suggestion but my question is how do I sort the legend with the format %Y-%b.


lguinn2
Legend

Yes, Splunk automatically sorts by the "by" clause of the timechart command. Since newPartName is a string, I would expect it to sort exactly as it did.

That's why I set the format to "%Y-%m" instead of "%Y-%b" - because then it would sort by month number instead of month name.


splunkmasterfle
Path Finder

This is my search now:



index=batch
| eval hours = (duration/(1000*60*60))
| rex field=partName "regular(?<tmpDate>.*)"
| eval newPartTime = strftime(strptime(tmpDate + "01","%b%y%d"),"%Y-%b")
| timechart span=1d limit=15 sum(duration) by newPartTime

The legend is sorted alphabetically:


2014 - Apr
2014 - Aug
2014 - Dec
2014 - Jul
2014 - Jun
2014 - May
2014 - Nov
2014 - Oct
2014 - Sep
2015 - Apr
2015 - Fed
[...]


somesoni2
SplunkTrust

This does show the legend for my sample view (it appears in ascending order of time), and the values come out like this:
2014-10
2014-11
2014-12
2015-01
2015-02
2015-03
2015-04
2015-05


splunkmasterfle
Path Finder

This "works" but doesn't sort the values in the legend of my timechart, which is what I was asking.


somesoni2
SplunkTrust

strptime(tmpDate,"%b%y") will return NULL as it requires a day part as well. It should be changed to strptime("01-".tmpDate,"%d-%b%y"), keeping the remaining things the same.
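
A run-anywhere search that combines the two suggestions from this thread (the day-prefixed strptime and the "%Y - %m (%b)" label). It is an added example, not part of any post above; it swaps index=batch for makeresults with the sample partName values from the question, and the field names n, t, nameLabel and sortableLabel are assumptions made for the illustration:

```spl
| makeresults count=8
| streamstats count AS n
| eval partName = mvindex(split("regularjan15,regularmar15,regularapr15,regularmay15,regularfeb15,regularnov14,regularoct14,regulardec14", ","), n - 1)
| rex field=partName "regular(?<tmpDate>.*)"
| eval t = strptime("01-" . tmpDate, "%d-%b%y")
| eval nameLabel = strftime(t, "%Y-%b")
| eval sortableLabel = strftime(t, "%Y - %m (%b)")
| sort 0 sortableLabel
| table partName nameLabel sortableLabel
```

Sorting on sortableLabel lists the rows from regularoct14 through regularmay15 in chronological order, while changing the sort field to nameLabel orders the months alphabetically within each year, which is the ordering the timechart legend shows for "%Y-%b".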
